rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License

Add an authorization plugin #2967

Open sonalkr132 opened 2 years ago

sonalkr132 commented 2 years ago

Historically, ownership was the only authorization check in our code. All profile-related checks were handled with current_user. With the introduction of api_key, ownership_call and ownership_requests, we have authorization checks like the following sitting awkwardly in the controller (sometimes even the model).

    # app/controllers/ownership_calls_controller.rb#L4
    before_action :render_forbidden, unless: :owner?, only: %i[create close]

    # app/controllers/ownership_requests_controller.rb
    render_forbidden && return unless current_user.can_request_ownership?(@rubygem)

    # app/controllers/api/v1/owners_controller.rb
    return render_api_key_forbidden unless @api_key.can_add_owner?

    # app/models/ownership_request.rb#L24
    can_close?(user) && update(status: :closed)

It would be nicer if we moved all these checks out of the controller and let an authorization plugin like cancancan or pundit handle it.

Is your feature request related to a problem?

code health

Describe the solution you'd like

Add cancancan or pundit

simi commented 4 months ago

Pundit is added now. Would it make sense to migrate those mentioned checks to Pundit @segiddins? It seems it is used for Avo only currently.

segiddins commented 4 months ago

Yes, i think using pundit in more places makes sense!
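As an added example, not code from this issue, from rubygems.org or from Pundit itself, here is what the ownership-call and ownership-request checks quoted in the issue could look like once moved into Pundit-style policy objects. The User, Rubygem, OwnershipCall and OwnershipRequest classes, the stand-in authorize helper and the concrete rules (who may open or close a request) are constructed assumptions for illustration, not the real rubygems.org models or rules. The policy classes are plain Ruby objects in the shape Pundit expects (initialized with user and record, one predicate per action), so the block runs without the gem installed.

```ruby
# Added example, not rubygems.org code. Pundit policies are plain Ruby objects
# built from (user, record) with one predicate per controller action; Pundit's
# `authorize` looks up "#{record.class}Policy" and raises
# Pundit::NotAuthorizedError when the predicate returns false.

# Stand-in for Pundit::NotAuthorizedError so the block runs without the gem.
class NotAuthorizedError < StandardError; end

# Constructed stand-ins for the application models (assumed, not the real ones).
User = Struct.new(:id, :handle)
Rubygem = Struct.new(:name, :owners) do
  def owned_by?(user)
    owners.include?(user)
  end
end
OwnershipCall = Struct.new(:rubygem, :status) do
  def opened?
    status == :opened
  end
end
OwnershipRequest = Struct.new(:rubygem, :user, :status) do
  def opened?
    status == :opened
  end
end

# Replaces `before_action :render_forbidden, unless: :owner?, only: %i[create close]`:
# only an owner of the gem may open or close an ownership call.
class OwnershipCallPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def create?
    owner?
  end

  def close?
    owner? && record.opened?
  end

  private

  # Nil-safe so an unauthenticated visitor is rejected here, and the controller
  # no longer needs its own current_user check.
  def owner?
    !user.nil? && record.rubygem.owned_by?(user)
  end
end

# Replaces `current_user.can_request_ownership?(@rubygem)` in the controller and
# `can_close?(user)` in the model. The rules are assumed for illustration: any
# signed-in non-owner may request; the requester or an owner may close an open request.
class OwnershipRequestPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def create?
    !user.nil? && !record.rubygem.owned_by?(user)
  end

  def close?
    return false if user.nil? || !record.opened?

    record.user == user || record.rubygem.owned_by?(user)
  end
end

# Stand-in for Pundit's controller helper (the real one takes current_user
# implicitly); resolves the policy by record class exactly as Pundit does.
def authorize(user, record, query)
  policy = Object.const_get("#{record.class}Policy").new(user, record)
  return true if policy.public_send(query)

  raise NotAuthorizedError, "not allowed to #{query} #{record.class}"
end

# Turns the exception into a boolean, the way a controller's rescue_from for
# NotAuthorizedError would turn it into render_forbidden.
def permitted?(user, record, query)
  authorize(user, record, query)
rescue NotAuthorizedError
  false
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, "alice")
  bob = User.new(2, "bob")
  rake = Rubygem.new("rake", [alice])
  call = OwnershipCall.new(rake, :opened)
  puts permitted?(alice, call, :close?) # alice owns rake
  puts permitted?(bob, call, :close?)   # bob does not
end
```

With the rules in policy objects, a controller action reduces to `authorize @ownership_call, :close?` (or `authorize @rubygem, :request_ownership?` with a matching predicate on a RubygemPolicy), and the predicates can be unit-tested directly with a user and a record instead of through a request cycle.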